It's a constant struggle for credit card processing giant First Data Corp. to become compliant with the Payment Card Industry Data Security Standard (PCI DSS), says First Data's CISO, Phil Mellinger.
Greenwood Village, Colo.-based First Data has spent millions on compliance initiatives to lock down systems against hackers trying to gain access to the constant stream of credit card data that passes through the company's massive systems. Hackers are seeking magnetic stripe track data, PINs and other identifiable information that could be sold on the black market and used to make fraudulent purchases. Mellinger calls it an uphill battle, since attacker methods are growing in sophistication and attacks come in so many forms.
Speaking to a group of merchants at a recent PCI DSS conference, Mellinger, who developed the precursor to the current PCI DSS rules, called for an overhaul to eliminate subjectivity and ease restrictions so that more merchants can meet the standard.
"I would rather they set the bar lower and then raise it once
more merchants have complied," Mellinger said. "The more people we
can get compliant, the better off we are."
Deadlines have been set for merchants to prove compliance by the
end of the year. But so far industry estimates show that more than
60% of merchants fail to meet the current standards.
Mellinger is calling for a PCI DSS status directory in which
compliant merchants and processors are publicly listed. Opponents
say such a directory could be used by hackers to find vulnerable
companies to attack. But Mellinger insists that it would reward
businesses that are compliant and get others to move faster on
compliance projects.
Visa, MasterCard, Discover, American Express and JCB have come
together to push merchants and processors to meet the standards.
The goal is to police the payment card industry before legislators
enact regulations to address data security issues.
Convincing merchants to move forward with PCI DSS compliance projects means getting banks to accept PCI DSS as proof of security, Mellinger said. Banks currently don't have much confidence in the PCI standard and continue to insist on doing their own on-site examination of security procedures, he said. Card issuers also have different processes, rules and fees that further complicate the compliance process.
"PCI is the best safeguard to protect a company if there is a
problem and there will be incidents," Mellinger said. "But when
banks come in and do their audits and don't look at the PCI
findings, that's a problem."
Mellinger also said he would like a level playing field when firms seek compliance. Currently the same standards apply to First Data's massive data centers as to a merchant with two servers, he said; the rules differ only slightly. Under the standard, businesses that process more than 6 million credit card transactions per year are subject to an annual on-site audit and quarterly network scans. Companies that process 20,000 to 6 million credit card transactions a year must fill out an annual self-assessment questionnaire and also conduct quarterly network scans. Mellinger said the self-assessment questionnaire is too difficult for some merchants to understand and answer accurately.
"The bad guys aren't really living off the big merchants,
they're living off of everybody," Mellinger said. "There's a
fallacy out there that they're targeting high volume."